Pseudo public key encryption

ABSTRACT

According to the present invention, a secret key cryptosystem and tamper-proof hardware are used to realize a pseudo public key cryptosystem at a low cost. A trap-door one-way function is substantially realized with the use of tamper-proof hardware. Each user performs communication using equipment provided with hardware having the same capabilities described below. Such hardware retains association between an ID and a key. In response to a request from a user, the hardware issues and stores an ID, and it can perform decryption and generation of a MAC (message authentication code) with a key associated with the ID. A user publishes his ID. When performing encryption, a message sender encrypts a message using the published ID. A third person can perform decryption with the ID only by analyzing the mechanism in the hardware. However, the hardware has a capability of destroying itself when such an act is attempted.

FIELD OF THE INVENTION

The present invention relates to a method and system for public key encryption, and in particular to a method and system for realizing a pseudo public key cryptosystem at a low cost.

BACKGROUND ART

Public key encryption methods, which are especially important among today's encryption techniques, are widely used for encryption, signature and authentication. An algorithm for realizing a public key cryptosystem generally requires a very high cost of calculation. One practical method of realizing a public key cryptosystem is RSA cryptography. RSA requires raising a plaintext or a ciphertext to the power of a number (an encryption exponent or a decryption exponent) derived from the value of Euler's function of n, where n is the product of two large prime numbers, and then taking the residue modulo n, and the cost of this operation is very high. In order to enhance the security of a key, the bit length of n is required to be large. However, the cost of calculation required for RSA cryptography with a large bit length is very high. Though measures such as performing such an operation with dedicated hardware may be taken to seek high speed, this may impose a development and manufacturing cost burden or affect product flexibility. Because of such a situation, the cost of a cryptosystem using a public key is high, and it is difficult to incorporate it in an apparatus which is inexpensively mass-produced.

Also known is elliptic-curve cryptography, which has a smaller bit length and equivalent strength in comparison with RSA cryptography. However, though the cost of the operations required for encryption (scalar multiplication of a point on an elliptic curve defined over a finite field, and the like) is lower in comparison with that of modular exponentiation, the cryptography similarly requires expensive operations, and therefore it is still difficult to incorporate it in an apparatus which is inexpensively mass-produced. Furthermore, there is also proposed a method for realizing a public key cryptosystem with the use of a secret key cryptosystem and tamper-proof hardware. In this method, a receiver encrypts his own secret key with a secret key of a third-party body and publishes it. A sender decrypts it with the secret key of the third-party body, encrypts a message with the obtained secret key of the receiver and sends it. The receiver decrypts it with his own secret key. Because encryption with the secret key of the third-party body, decryption with the secret key of the third-party body and encryption with the secret key of the receiver are performed in tamper-proof hardware, security is ensured. In this method, however, the sender and the receiver have to use different hardware, and both of their secret keys are required to use the same hardware. This method is similar to an approach such as an ID-based cryptosystem, in which a public key is distributed not via a certification body, in that an ID is published. In an ID-based cryptosystem, a key generation body generates a user's private key from a unique ID of the user, and anyone can generate the user's public key from the user's ID. This method is convenient with regard to distribution of a public key. However, the nature of the trap-door one-way function in RSA cryptography and the like is utilized for encryption and decryption of a message, and the cost required for the processing is as high as that of common public key cryptosystems.

Patent Document 1 Published Unexamined Patent Application No. 2004-70712

SUMMARY OF THE INVENTION

In a first aspect, the present invention provides methods and systems for realizing a pseudo public key cryptosystem at a low cost.

In another aspect, the present invention provides methods and systems capable of more inexpensively realizing encrypted information communication and code-signed communication with the use of a public key.

In another aspect, the present invention provides methods and systems enabling information processing and communication to be performed with high security maintained, on a terminal such as a mobile terminal on which signature is frequently performed and for which instantaneous processing is required.

In another aspect, the present invention provides methods and systems for realizing a function which requires an expensive operation using pseudo operations.

According to the present invention, a secret key cryptosystem and tamper-proof hardware are used to realize a pseudo public key cryptosystem at a low cost. A trap-door one-way function, which is generally considered essential for the construction of a public key cryptosystem, requires an “expensive” operation. Such a function is substantially realized with the use of tamper-proof hardware. Each user performs communication using equipment provided with hardware having the same capabilities described below. Such hardware retains an association between an ID and a key. In response to a request from a user, the hardware issues and stores an ID, and it can perform decryption and generation of a message authentication code (hereinafter referred to as a MAC) with a key associated with the ID. Though this hardware can perform encryption and verification of a MAC with any given ID, it cannot perform decryption and generation of a MAC with an ID it has not issued. A user publishes his ID. When performing encryption, a message sender encrypts a message using the published ID of a message receiver and using hardware having the same capabilities as the receiver's hardware. A person can perform decryption with the ID only by analyzing the mechanism in the hardware. However, the hardware has a capability of destroying itself when such an act is attempted.

Thus, according to the present invention, it is possible to realize encrypted information communication and code-signed communication with the use of a public key at a low cost. By realizing the present invention on a mobile terminal, which has recently been used for more and more various purposes, especially on an inexpensive and mass-produced terminal on which signing is frequently performed and from which processing immediacy is required, it is possible to enable information processing and communication requiring high-level security management even on such a terminal.

BRIEF DESCRIPTION OF THE DRAWINGS

These, and further, aspects, advantages, and features of the invention will be more apparent from the following detailed description of a preferred embodiment and the appended drawings, wherein:

FIG. 1 is a block diagram of hardware of the present invention;

FIG. 2 is a diagram showing the details of an encryption-authentication section;

FIG. 3 is a diagram illustrating sending-receiving protocols of the present invention;

FIG. 4 is a diagram illustrating other sending-receiving protocols of the present invention;

FIG. 5 shows an example of applying the present invention to an ID-based cryptosystem; and

FIG. 6 shows an example of applying the present invention to a mobile phone.

DESCRIPTION OF SYMBOLS

- 100 . . . System
- 101 . . . Encryption-authentication section
- 102 . . . Tampering detection section
- 201 . . . ID issuance-registration section
- 206 . . . ID storage section
- 210 . . . Key generation section
- 209 . . . Seed storage section
- 207 . . . First key acquisition section
- 208 . . . Second key acquisition section
- 202 . . . Generation section
- 204 . . . Verification section
- 205 . . . Encryption section
- 203 . . . Decryption section
- 520 . . . ID storage body

DETAILED DESCRIPTION OF THE INVENTION

The present invention provides methods, apparatus and systems for realizing a pseudo public key cryptosystem at a low cost. The invention also provides methods, apparatus and systems capable of more inexpensively realizing encrypted information communication and code-signed communication with the use of a public key.

The present invention provides methods, apparatus and systems for enabling information processing and communication to be performed with high security maintained, on a terminal such as a mobile terminal on which signature is frequently performed and for which instantaneous processing is required. The present invention further provides methods, apparatus and systems for realizing a function which requires an expensive operation using pseudo operations.

In an example embodiment of the present invention, a secret key cryptosystem and tamper-proof hardware are used to realize a pseudo public key cryptosystem at a low cost. A trap-door one-way function, which is generally considered essential for the construction of a public key cryptosystem, requires an “expensive” operation. Such a function is substantially realized with the use of tamper-proof hardware. Each user performs communication using equipment provided with hardware having the same capabilities described below. Such hardware retains an association between an ID and a key. In response to a request from a user, the hardware issues and stores an ID, and it can perform decryption and generation of a message authentication code (hereinafter referred to as a MAC) with a key associated with the ID. Though this hardware can perform encryption and verification of a MAC with any given ID, it cannot perform decryption and generation of a MAC with an ID it has not issued. A user publishes his ID. When performing encryption, a message sender encrypts a message using the published ID of a message receiver and using hardware having the same capabilities as the receiver's hardware. A person can perform decryption with the ID only by analyzing the mechanism in the hardware. However, the hardware has a capability of destroying itself when such an act is attempted.

Let plaintext be denoted by P, a ciphertext by C, a public key by K1 and a private key by K2. When a symmetric function H is used as follows, it must be essentially difficult to derive K2 from K1:

C = F(P) = H(P, K1)
P = F⁻¹(C) = H(C, K2)

As for a function F satisfying the above, if it is virtually impossible for one who does not know K2 to calculate F⁻¹, then a public key cryptosystem can be constituted. In the present invention, a function F using a secret key K and requiring only inexpensive calculation is prepared, and the capability of F is hidden in tamper-proof hardware. Meanwhile, K = G(ID), a one-to-one function hidden in the hardware, is prepared so that the following are satisfied, where ID is an identifier of the secret key:

C = F(P) = H(P, G(ID))
P = F⁻¹(C) = H(C, G(ID))

In this case, the ID is published as a pseudo public key so that anyone can calculate G(ID) when performing encryption or verification of a MAC. On the other hand, when decryption or generation of a MAC is performed, only a valid owner of the ID can calculate G(ID). Thereby, a trap-door one-way function F realized by hardware is constructed, and a pseudo public key cryptosystem is realized.

As an advantageous apparatus of the present invention, there is used an apparatus including tamper-proof hardware which comprises an encryption-authentication section for performing issuance of an ID, encryption and authentication in response to a request by a user, and a tampering detection section for detecting voltage change or pressure change to electrically destroy the encryption-authentication section.

Pseudo public key encryption is performed by means of this apparatus. The encryption-authentication section of the apparatus comprises: an ID issuance-registration section for issuing an ID in response to a request by a user and storing the ID in a storage section; a key generation section for generating a key corresponding to the ID using a one-to-one function and outputting the key; a first key acquisition section for, in response to a request by a user for decryption or generation of a message authentication code, comparing an inputted ID and the ID stored in the ID storage section and, if the IDs correspond to each other, handing over the ID to the key generation section to output a key generated by the key generation section; a second key acquisition section for, in response to a request by a user for encryption or verification of a message with a message authentication code attached thereto, handing over an inputted ID to the key generation section to output a key generated by the key generation section; a message authentication code generation section for handing over an inputted ID to the first key acquisition section and, with the use of a key outputted from the first key acquisition section, calculating and outputting a message authentication code of an inputted message; a message authentication code verification section for handing over an inputted ID to the second key acquisition section, calculating a message authentication code of an inputted message with the use of a key outputted from the second key acquisition section, comparing the obtained message authentication code and an inputted message authentication code, and, if the message authentication codes correspond to each other, returning information indicating that the verification has succeeded to the user; an encryption section for handing over an inputted ID to the second key acquisition section, encrypting inputted plaintext with the use of a key outputted from the second key acquisition section and returning the result to a user; and a decryption section for handing over an inputted ID to the first key acquisition section and, with the use of a key outputted from the first key acquisition section, decrypting and outputting inputted encrypted text.

An example of a method for performing pseudo public key encryption with the use of this apparatus includes the steps described below. The method includes, in sending a message between a sending user and a receiving user having the apparatus A and the apparatus B, respectively, the steps of: the apparatus A selecting and storing a sending user ID, and then returning the sending user ID to the sending user, for publication of the sending user ID; the apparatus B selecting and storing a receiving user ID, and then returning the receiving user ID to the receiving user, for publication of the receiving user ID; the apparatus A acquiring a key corresponding to the sending user ID, generating a message authentication code and returning the message authentication code to the sending user; in response to a request by the sending user for encryption, the apparatus A acquiring a key corresponding to the receiving user ID, encrypting the message and the message authentication code and returning the encrypted message and message authentication code to the sending user; in response to a request by the receiving user for decryption, the apparatus B acquiring a key corresponding to the receiving user ID, decrypting the received message and returning the decrypted message to the receiving user; and in response to a request by the receiving user for verification of the message authentication code, the apparatus B acquiring a key corresponding to the sending user ID, verifying the message authentication code and returning the result to the receiving user. The above summary of the present invention does not enumerate all the necessary characteristics of the present invention, and a sub-combination of these characteristics may be the invention.

Advantages of the invention include making it possible to realize encrypted information communication and code-signed communication with the use of a public key at a low cost. By realizing the present invention on a mobile terminal, which has recently been used for more and more various purposes, especially on an inexpensive and mass-produced terminal on which signing is frequently performed and from which processing immediacy is required, it is possible to enable information processing and communication requiring high-level security management even on such a terminal.

FIG. 1 shows a block diagram of hardware of the present invention. A system 100 is the entire system with an encryption-authentication section 101 and a tampering detection section 102 included therein. The encryption-authentication section 101 performs services such as issuance of an ID, encryption and authentication in response to a request from a user. The tampering detection section 102 detects voltage change or pressure change caused when a user attempts analysis of an internal circuit of the system 100, and electrically destroys the encryption-authentication section 101.

FIG. 2 is a diagram showing the details of the encryption-authentication section 101 in FIG. 1. An ID issuance-registration section 201 issues a unique ID in response to a request from a user, and stores it in an ID storage section 206. A key generation section 210 generates and outputs a key based on an inputted ID and a seed stored in a seed storage section 209. When a user attempts decryption or generation of a MAC, a first key acquisition section 207 compares an inputted ID with the ID stored in the ID storage section 206. If the IDs are the same, the first key acquisition section 207 hands over the ID to the key generation section 210, and outputs a key returned from the key generation section 210. If the IDs are not the same, an error is returned. When a user attempts encryption or verification of a MAC-attached message, a second key acquisition section 208 hands over an inputted ID to the key generation section 210, and outputs a key returned from the key generation section 210. With a message and an ID as input, a MAC generation section 202 hands over the ID to the first key acquisition section 207 and acquires a key. If an error is not returned from the key acquisition section, the MAC generation section 202 calculates and outputs a MAC of the message. If an error is returned from the key acquisition section, the MAC generation section 202 returns an error to the user. With the message, the MAC and the ID as input, a MAC verification section 204 hands over the ID to the second key acquisition section 208 and acquires a key. The MAC verification section 204 calculates a MAC of the message based on the key, and compares the obtained MAC with the inputted MAC. If the MACs are the same, information indicating that the verification has succeeded is returned to the user. Otherwise, information indicating that the verification has failed is returned to the user. With plaintext and the ID as input, an encryption section 205 hands over the ID to the second key acquisition section 208 and acquires a key. The encryption section 205 encrypts the plaintext based on the key, and returns the result to the user. With the ciphertext and the ID as input, a decryption section 203 hands over the ID to the first key acquisition section 207 and acquires a key. If an error is not returned from the key acquisition section, the decryption section 203 decrypts and outputs the ciphertext based on the key. If an error is returned from the key acquisition section, the decryption section 203 returns an error to the user.

As understood from the above description, the hardware of the present invention has a capability of performing encryption-decryption and generation-verification of a MAC with a particular key, and tamper-proofness against hacking operations. The hardware is provided with the following interfaces:

- an interface for issuing and registering an ID associated with a key in response to a request from a user;
- an interface for decrypting a message with a given ID only when the ID is registered;
- an interface for generating a MAC from a decrypted message;
- an interface for encrypting a message with a given ID; and
- an interface for verifying the MAC of a message.

Next, a method for exchanging information in the present invention will be described. An encrypted message is exchanged as described below. First, a message receiver requests an apparatus in which the system 100 of FIG. 1 is incorporated to issue an ID. The system 100 hands over an ID associated with a particular key to the user and registers the ID. The receiver publishes the received ID. A message sender uses the published ID to encrypt a message to be sent, through an apparatus in which a system 100 having the same capabilities is incorporated. Substantially, only the receiver can decrypt the message.

A message with a MAC attached thereto is exchanged as described below. First, a message sender requests an apparatus in which the system 100 is incorporated to issue an ID. The system 100 hands over an ID associated with a particular key to the user and registers the ID. The sender generates a MAC for a message to be sent with the use of the received ID, through the same system 100. Substantially, only the sender can generate the MAC. The sender sends the message, the MAC and the ID. A receiver of the message verifies the received MAC for the received message with the use of the ID through an apparatus in which a system 100 having the same capabilities is incorporated.

A method for further enhancing the security of the present invention is as follows. In order that only a receiver can decrypt a message and only a sender can generate a MAC, it is desirable that the same ID not be misused, a problem common to public key cryptosystems. In order to achieve this, the following methods will be employed.

Key Dilution by Secondary Coding

When an ID is issued, it is encoded with higher entropy by including redundant information therein. Thereby, it is possible to significantly reduce the possibility of the same ID being handed over to different users. Furthermore, coding algorithms are varied among apparatuses to make inverse encoding difficult. This makes it very difficult for a malicious person to determine whether a published ID and the ID registered with his own system 100 are the same. Furthermore, by considering an intentional failure of decryption to be a malicious act and then stopping the functionalities when such an act is detected, it is possible to substantially prevent a malicious person from performing decryption to check the sameness of an ID. For example, this mechanism can be realized by a method of padding a random value. The space for an original ID is defined as X bits, and a Y-bit space is further added in order to dilute a key. In this additional space, a random Y-bit number is put when an original ID is issued. The (X+Y)-bit information obtained in this way is shuffled to obtain an ID to be published. Though this shuffle may be a simple shuffle such as a combination of shifts and exchanges, the algorithm is hidden in the tamper-proof system 100. Thereby, the probability of the same keys being issued can be reduced to 1/2^Y of the probability in the case of using the X-bit key directly. Recovery of the original key from the published (X+Y)-bit ID can also be implemented simply by implementing the inverse operation in the tamper-proof hardware and removing the redundantly added space.
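The padding-and-shuffle scheme above, as an added example that is not part of the patent text: an X-bit original ID gets a random Y-bit pad, the (X+Y) bits are permuted with a bit shuffle assumed to be hidden in the tamper-proof hardware and derived from a per-apparatus secret, and the hardware inverts the shuffle to recover the original ID. The sizes X = Y = 16 and the seeded-PRNG shuffle are assumptions for the example.

```python
import random
import secrets
from typing import List, Optional, Tuple

X_BITS = 16               # original ID space (constructed size for the example)
Y_BITS = 16               # redundant space added to dilute the key
TOTAL_BITS = X_BITS + Y_BITS


def make_shuffle(hardware_secret: int) -> Tuple[List[int], List[int]]:
    """Per-apparatus bit permutation, assumed hidden inside the tamper-proof system 100.

    Returns (forward, inverse): forward[i] is the position that bit i moves to, and
    inverse undoes it. A seeded PRNG stands in for whatever shift/exchange network the
    hardware actually uses.
    """
    forward = list(range(TOTAL_BITS))
    random.Random(hardware_secret).shuffle(forward)   # deterministic for this secret
    inverse = [0] * TOTAL_BITS
    for src, dst in enumerate(forward):
        inverse[dst] = src
    return forward, inverse


def _permute_bits(value: int, table: List[int]) -> int:
    """Move every set bit of value from position i to position table[i]."""
    out = 0
    for src in range(TOTAL_BITS):
        if (value >> src) & 1:
            out |= 1 << table[src]
    return out


def dilute(original_id: int, forward: List[int], pad: Optional[int] = None) -> int:
    """Issue a published ID: append a random Y-bit pad to the X-bit ID, then shuffle.

    Two issuances of the same original ID yield different published IDs, and nobody
    without the inverse table can tell whether they share the same original bits.
    """
    if not 0 <= original_id < (1 << X_BITS):
        raise ValueError("original ID outside the X-bit space")
    if pad is None:
        pad = secrets.randbelow(1 << Y_BITS)
    combined = (original_id << Y_BITS) | pad          # (X+Y)-bit value before shuffling
    return _permute_bits(combined, forward)


def undilute(published_id: int, inverse: List[int]) -> int:
    """Inside the hardware: invert the shuffle and drop the pad to get the X-bit ID."""
    if not 0 <= published_id < (1 << TOTAL_BITS):
        raise ValueError("published ID outside the (X+Y)-bit space")
    return _permute_bits(published_id, inverse) >> Y_BITS


def same_original(published_a: int, published_b: int, inverse: List[int]) -> bool:
    """The comparison only the hardware holding the inverse table can perform."""
    return undilute(published_a, inverse) == undilute(published_b, inverse)


if __name__ == "__main__":
    fwd, inv = make_shuffle(hardware_secret=2024)        # constructed secret
    first = dilute(0xABCD, fwd)
    second = dilute(0xABCD, fwd)
    print(hex(first), hex(second), same_original(first, second, inv))
```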

Registration of ID

An issued ID is validated by a certification body. By the certification body guaranteeing the uniqueness of the ID, invalid use of the ID is prevented.

Restriction of Issuance of ID

As means for preventing issuance of the same ID, the number of issuances is limited, or a charge for issuance is imposed.

In order to prevent equipment for which an ID has been issued once from being used by other users, user authentication is required to use the equipment.

A method for realizing the present invention in combination with an ID-based cryptosystem will be described. An ID of the present invention functions not as “an ID of an individual” but as “an ID of a key”. Therefore, generally, the present invention needs a certification body to publish an ID, similarly to other (non-ID-based) public key cryptosystems. Meanwhile, since the object of an ID-based cryptosystem corresponds to the object of the present invention, it is also possible to use both systems in combination with each other. In this case, a key generation body generates a user's private key so that the “ID of an individual” is adapted to be the “ID of a key”. This can be achieved, for example, by enabling only the key generation body to issue and register any given ID. In this case, a public key can be known not via the certification body, and therefore, it is possible to construct a system enabling more inexpensive encryption.

Embodiment 1

Description will be made on an embodiment in the case where a sufficient number of keys can be stored in the system 100 (including each interface and sending-receiving protocols) with the use of FIG. 3. It is assumed that a user A and a user B communicate with each other using the system 100 in FIG. 1 (hardware A and hardware B). It is also assumed that a sufficient number of keys are stored in the system 100, each of which is given an ID specific thereto. If the pieces of hardware are the same, the mapping of the ID and the key is also the same.

The user A requests an ID from the hardware A (310). The hardware A selects an ID (hereinafter referred to as ID-A) at random from an ID space (320), and returns the ID to the user A. The ID is also stored in an ID storage section. The user A publishes the ID-A. Meanwhile, the user B has also performed the same processing as the user A. That is, the user B requests an ID from the hardware B (310). The hardware B selects an ID (hereinafter referred to as ID-B) at random from an ID space, and returns the ID to the user B. The ID is also stored in an ID storage section (330). The user B publishes the ID-B. Suppose that the user A sends a message to the user B. First, the message is given a MAC with the key of the user A, and then it is encrypted with the key of the user B. Any MAC and any encryption algorithm can be selected without making any change in the configuration of this specification. For example, HMAC-SHA1 or AES may be used.

The user A creates a message to be sent in the following procedure. The user A hands over the message and the ID-A to the hardware A, and requests generation of a MAC. The hardware A checks whether the ID-A is stored in the ID storage section (340). If the ID-A is stored, then the hardware A acquires a key corresponding to the ID-A from the key storage section (350), generates a MAC (360), and returns it to the user A. If the ID-A is not stored, then the hardware A returns an error to the user A. The user A hands over the (message|MAC) and the ID-B to the hardware A and requests encryption. The hardware A acquires a key corresponding to the ID-B from the key storage section, encrypts the (message|MAC) (370), and returns it to the user A.

Meanwhile, the user B processes the received message in the following procedure. The user B hands over the received message and the ID-B to the hardware B and requests decryption. The hardware B checks whether the ID-B is stored in the ID storage section (340). If the ID-B is stored, then the hardware B acquires a key corresponding to the ID-B from the key storage section (350), decrypts the received message (380), and returns it to the user B. If the ID-B is not stored, then the hardware B returns an error to the user B. The user B hands over the message, the MAC and the ID-A to the hardware B, and requests verification of the MAC. The hardware B acquires a key corresponding to the ID-A from the key storage section, verifies the MAC (390), and returns the result to the user B.

Embodiment 2

Actually, it is often impossible to provide enough storage capacity to store a sufficient number of keys. Description will be made on an embodiment in the case where a sufficient number of keys cannot be stored in the system 100 with the use of FIG. 4. Only one value (hereinafter referred to as a seed) is stored in the system 100, so that a key is generated from the seed and an ID as appropriate. Any hash algorithm (for example, SHA-1) is used so that a hash value of (ID|seed) is used as a key. In this case, the procedure for the user A to create a message to be sent is as follows.

The procedure from the step where the users A and B request an ID and the hardware selects and stores an ID to the step where each user publishes his own ID is the same as that of the embodiment described above. Suppose that the user A sends a message to the user B. When creating a message to be sent, the user A hands over the message and the ID-A to the hardware A and requests generation of a MAC. The hardware A checks whether the ID-A is stored in the ID storage section (440). If the ID-A is stored, then the hardware A generates a key from the seed and the ID-A (450), generates a MAC (460), and returns it to the user A. If the ID-A is not stored, then the hardware A returns an error to the user A. The user A hands over the (message|MAC) and the ID-B to the hardware A, and requests encryption. The hardware A generates a key from the seed and the ID-B, encrypts the (message|MAC) (470), and returns it to the user A.

On the other hand, the procedure in which the user B processes a received message is as follows. The user B hands over the received message and the ID-B to the hardware B and requests decryption. The hardware B checks whether the ID-B is stored in the ID storage section (440). If the ID-B is stored, then the hardware B generates a key from the seed and the ID-B (450), decrypts the received message (480), and returns it to the user B. If the ID-B is not stored, then the hardware B returns an error to the user B. The user B hands over the message, the MAC and the ID-A to the hardware B and requests verification of the MAC. The hardware B generates a key from the seed and the ID-A, verifies the MAC (490), and returns the result to the user B.
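A software model of the seed-based hardware of Embodiment 2 and of the sending-receiving protocol it shares with the method summarised earlier (ID issuance, the first and second key acquisition sections, and the A-to-B exchange of FIG. 4), as an added example that is not part of the patent. The seed, the IDs and the message are constructed values; HMAC-SHA256 stands in for the MAC, and a SHA-256 keystream in counter mode stands in for the cipher, since the text leaves both algorithms open and the standard library has no AES. Every device holds the same seed, so G(ID) = hash(ID|seed) agrees across devices; what differs per device is which IDs are registered.

```python
import hashlib
import hmac
import os
import secrets


class IDNotRegistered(Exception):
    """The error the first key acquisition section returns for an unregistered ID."""


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (assumption): SHA-256 in counter mode as a keystream.
    The same call encrypts and decrypts; a random nonce prevents keystream reuse."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        block = hashlib.sha256(key + nonce + counter).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class PseudoPKDevice:
    """Model of the system 100 with a seed storage section (Embodiment 2)."""

    def __init__(self, seed: bytes):
        self._seed = seed            # seed storage section 209; never leaves the device
        self._registered = set()     # ID storage section 206

    # ID issuance-registration section 201: pick an ID at random and store it
    def issue_id(self) -> bytes:
        new_id = secrets.token_bytes(16)
        self._registered.add(new_id)
        return new_id

    # key generation section 210: K = G(ID) = hash(ID | seed)
    def _generate_key(self, id_: bytes) -> bytes:
        return hashlib.sha256(id_ + self._seed).digest()

    # first key acquisition section 207: private operations, registered IDs only
    def _key_private(self, id_: bytes) -> bytes:
        if id_ not in self._registered:
            raise IDNotRegistered("ID is not registered with this hardware")
        return self._generate_key(id_)

    # second key acquisition section 208: public operations, any ID
    def _key_public(self, id_: bytes) -> bytes:
        return self._generate_key(id_)

    def generate_mac(self, id_: bytes, message: bytes) -> bytes:      # section 202
        return hmac.new(self._key_private(id_), message, hashlib.sha256).digest()

    def verify_mac(self, id_: bytes, message: bytes, tag: bytes) -> bool:   # section 204
        expected = hmac.new(self._key_public(id_), message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def encrypt(self, id_: bytes, plaintext: bytes) -> bytes:          # section 205
        nonce = os.urandom(16)
        return nonce + _keystream_xor(self._key_public(id_), nonce, plaintext)

    def decrypt(self, id_: bytes, ciphertext: bytes) -> bytes:         # section 203
        nonce, body = ciphertext[:16], ciphertext[16:]
        return _keystream_xor(self._key_private(id_), nonce, body)


MAC_LEN = 32   # HMAC-SHA256 output, appended to the message before encryption


def sender_prepare(hw_a: PseudoPKDevice, id_a: bytes, id_b: bytes, message: bytes) -> bytes:
    """User A: MAC under ID-A (steps 440-460), then encrypt (message|MAC) under ID-B (470)."""
    tag = hw_a.generate_mac(id_a, message)
    return hw_a.encrypt(id_b, message + tag)


def receiver_process(hw_b: PseudoPKDevice, id_a: bytes, id_b: bytes, ciphertext: bytes):
    """User B: decrypt under ID-B (440-480), split off the MAC, verify under ID-A (490).
    Returns (message, verification_succeeded)."""
    plaintext = hw_b.decrypt(id_b, ciphertext)
    message, tag = plaintext[:-MAC_LEN], plaintext[-MAC_LEN:]
    return message, hw_b.verify_mac(id_a, message, tag)


def run_exchange(message: bytes = b"constructed sample message") -> dict:
    """Walk through FIG. 4, plus the two failure cases the description implies."""
    seed = b"constructed shared seed"                      # identical in every device
    hw_a, hw_b, hw_c = (PseudoPKDevice(seed) for _ in range(3))
    id_a, id_b = hw_a.issue_id(), hw_b.issue_id()          # published by A and by B
    ct = sender_prepare(hw_a, id_a, id_b, message)
    recovered, ok = receiver_process(hw_b, id_a, id_b, ct)
    # Third party C has the same hardware type but ID-B is not registered in it.
    try:
        hw_c.decrypt(id_b, ct)
        third_party_blocked = False
    except IDNotRegistered:
        third_party_blocked = True
    # A bit flipped in transit changes the decrypted message, so B's MAC check fails.
    tampered = bytearray(ct)
    tampered[16] ^= 0x01
    _, ok_tampered = receiver_process(hw_b, id_a, id_b, bytes(tampered))
    return {"message": recovered, "verified": ok,
            "third_party_blocked": third_party_blocked, "tamper_detected": not ok_tampered}
```

Note that the model makes the trust boundary explicit: `_seed` and `_key_private` are reachable only through the device's own methods, which is exactly the property the tamper-detection section 102 must preserve in real hardware.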

Embodiment 3

In the two embodiments described above, there is shown a case where an ID is selected at random. Next, an example of applying the present invention to an ID-based cryptosystem will be described with the use of FIG. 5. In this case, the processing to be performed by the user A in advance is as follows. The user A hands over the hardware A and the ID-A to an ID storage body 520, and requests storage of the ID in the hardware (510). The ID storage body hands over the ID-A to the hardware A, and requests storage of the ID. The hardware A stores the ID-A in the ID storage section. The processing to be performed by the user B in advance is the same. That is, the user B hands over the hardware B and the ID-B to the ID storage body 520, and requests storage of the ID in the hardware (510). The ID storage body hands over the ID-B to the hardware B, and requests storage of the ID. The hardware B stores the ID-B in the ID storage section. The procedure for the user A to create a message to be sent and the procedure for the user B to process a received message are the same as those in the embodiment 1 or the embodiment 2.

Embodiment 4

In the embodiment 3, a common procedure in an ID-based cryptosystem has been shown. A procedure enabling acquisition of an ID and handing over of equipment to be performed more efficiently is shown in FIG. 6, taking a case of applying this to a mobile phone as an example. Here, the ID storage mechanism is realized by an equipment manufacturer consigning sale of equipment to a retailer while assuring that an ID is stored in the equipment only once, and the retailer acquiring an appropriate and unique ID by cooperation of the infrastructure, storing it in the equipment and handing over the equipment to a user. Specifically, a phone number is set as an ID. At step 610, the equipment manufacturer determines a one-to-one function f for acquiring a key from the ID (phone number). Next, at step 620, f(ID) is included in a tamper-proof apparatus. The equipment manufacturer prepares a write-once storage in the apparatus in advance. Finally, at step 630, the retailer writes the ID there to register it with the equipment so that it becomes the input to f(ID). Here, the same as shown in the embodiment 1 or the embodiment 2, decryption of a message and generation of a MAC with f(ID) is possible only on equipment with which the ID is registered. On the other hand, on equipment with which the ID is not registered, encryption of a message with f(ID) is possible. Verification of a MAC is also possible.

A message is exchanged as follows. The users A and B purchase mobile phones and obtain unique phone numbers NA and NB, respectively. In the case of encryption, the user A encrypts a message M with f(NB) as a key. The user A sends the encrypted message E(M) to the user B. The user B decrypts the E(M) with the use of f(NB). It is only the user B that can perform decryption with f(NB). In the case of signature, the user A generates a MAC of the message M with f(NA) as a key, and sends the M and the MAC to the user B. In this case, it is only the user A that can generate the MAC of the M with the use of f(NA). The user B can verify the sent message M and MAC and check the signature by the user A. A similar mechanism can be applied to apparatuses other than a mobile phone. For example, when an information appliance is connected to the Internet, an IP address or a host name can be used as an ID.
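The following is an added simulation of the embodiment 3 and embodiment 4 mechanism (it is not code from the patent): a module holding a manufacturer seed and a write-once ID, a first key acquisition that refuses any ID other than the registered one, a second key acquisition that accepts any ID, and the A-to-B exchange with phone numbers as IDs. HMAC-SHA256 stands in for the one-to-one function f and for the secret-key cipher E, and the seed, phone numbers and message are constructed values.

```python
import hashlib
import hmac
import os


class TamperProofEquipment:
    """Constructed model of the tamper-proof module: f is fixed by the manufacturer seed."""
    def __init__(self, seed: bytes):
        self._seed = seed  # manufacturer secret defining f; never leaves the module
        self._id = None    # write-once ID storage (step 630)

    def register_id(self, phone_number: str) -> None:
        if self._id is not None:  # a second write is refused
            raise RuntimeError("ID already registered: storage is write-once")
        self._id = phone_number

    def _f(self, phone_number: str) -> bytes:
        # Key generation section: key = f(ID) from seed and ID (claim 2); HMAC stands in for f
        return hmac.new(self._seed, phone_number.encode(), hashlib.sha256).digest()

    def _first_key(self, phone_number: str) -> bytes:
        # Decryption and MAC generation: only for the ID registered in this equipment
        if self._id is None or not hmac.compare_digest(self._id.encode(), phone_number.encode()):
            raise PermissionError("ID not registered on this equipment")
        return self._f(phone_number)

    def _second_key(self, phone_number: str) -> bytes:
        return self._f(phone_number)  # encryption and MAC verification: any ID is accepted

    @staticmethod
    def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
        # Stand-in for the secret-key cipher E: HMAC-SHA256 keystream in counter mode
        out = bytearray()
        for i in range(0, len(data), 32):
            block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
            out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
        return bytes(out)

    def encrypt(self, receiver_id: str, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)
        return nonce + self._xor_stream(self._second_key(receiver_id), nonce, plaintext)

    def decrypt(self, own_id: str, ciphertext: bytes) -> bytes:
        return self._xor_stream(self._first_key(own_id), ciphertext[:16], ciphertext[16:])

    def mac(self, own_id: str, message: bytes) -> bytes:
        return hmac.new(self._first_key(own_id), message, hashlib.sha256).digest()

    def verify(self, sender_id: str, message: bytes, tag: bytes) -> bool:
        expected = hmac.new(self._second_key(sender_id), message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def exchange(seed: bytes, na: str, nb: str, message: bytes) -> tuple:
    """A signs with f(NA) and encrypts with f(NB); B decrypts and verifies; A cannot decrypt."""
    hw_a, hw_b = TamperProofEquipment(seed), TamperProofEquipment(seed)
    hw_a.register_id(na)
    hw_b.register_id(nb)
    tag = hw_a.mac(na, message)          # only A's equipment can generate this MAC
    ct = hw_a.encrypt(nb, message)       # encryption with f(NB) works on any equipment
    recovered = hw_b.decrypt(nb, ct)     # only B's equipment can decrypt
    ok = hw_b.verify(na, recovered, tag)  # verification with f(NA) works on any equipment
    try:
        hw_a.decrypt(nb, ct)             # NB is not registered in A's equipment: refused
        refused = False
    except PermissionError:
        refused = True
    return recovered, ok, refused
```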

The present invention can be realized in hardware, software, or a combination of hardware and software. It may be implemented as a method having steps to implement one or more functions of the invention, and/or it may be implemented as an apparatus having components and/or means to implement one or more steps of a method of the invention described above and/or known to those skilled in the art. A visualization tool according to the present invention can be realized in a centralized fashion in one computer system or in a distributed fashion where different elements are spread across several interconnected computer systems. Any kind of computer system—or other apparatus adapted for carrying out the methods and/or functions described herein—is suitable. A typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein. The present invention can also be embedded in a computer program product, which comprises all the features enabling the implementation of the methods described herein, and which—when loaded in a computer system—is able to carry out these methods. Methods of this invention may be implemented by an apparatus which provides the functions carrying out the steps of the methods. Apparatus and/or systems of this invention may be implemented by a method that includes steps to produce the functions of the apparatus and/or systems.

Computer program means or computer program in the present context include any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after conversion to another language, code or notation, and/or after reproduction in a different material form.

Thus the invention includes an article of manufacture which comprises a computer usable medium having computer readable program code means embodied therein for causing one or more functions described above. The computer readable program code means in the article of manufacture comprises computer readable program code means for causing a computer to effect the steps of a method of this invention. Similarly, the present invention may be implemented as a computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing a function described above. The computer readable program code means in the computer program product comprising computer readable program code means for causing a computer to effect one or more functions of this invention. Furthermore, the present invention may be implemented as a program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for causing one or more functions of this invention.

It is noted that the foregoing has outlined some of the more pertinent objects and embodiments of the present invention. This invention may be used for many applications. Thus, although the description is made for particular arrangements and methods, the intent and concept of the invention is suitable and applicable to other arrangements and applications. It will be clear to those skilled in the art that modifications to the disclosed embodiments can be effected without departing from the spirit and scope of the invention. The described embodiments ought to be construed to be merely illustrative of some of the more prominent features and applications of the invention. Other beneficial results can be realized by applying the disclosed invention in a different manner or modifying the invention in ways known to those familiar with the art.

1) An apparatus comprising tamper-proof hardware, the hardware comprising an encryption-authentication section for performing issuance of an ID, encryption, and authentication, in response to a request by a user, and a tampering detection section for detecting one of voltage change and pressure change, to electrically destroy the encryption-authentication section, the encryption-authentication section comprising: an ID issuance-registration section for issuing an ID in response to a request by a user, and storing the ID in a storage section; a key generation section for generating a key corresponding to the ID using a one-to-one function, and outputting the key; a first key acquisition section for, in response to a request by a user for decryption or generation of a message authentication code, comparing an inputted ID and the ID stored in the ID storage section, and, if the IDs are corresponding to each other, handing over the ID to the key generation section to output a key generated by the key generation section; a second key acquisition section for, in response to a request by a user for encryption or verification of a message with a message authentication code attached thereto, handing over an inputted ID to the key generation section to output a key generated by the key generation section; a message authentication code generation section for handing over an inputted ID to the first key acquisition section, and, with the use of a key outputted from the first key acquisition section, calculating and outputting a message authentication code of an inputted message; a message authentication code verification section for handing over an inputted ID to the second key acquisition section, calculating a message authentication code of an inputted message with the use of a key outputted from the second key acquisition section, comparing the obtained message authentication code and an inputted message authentication code, and, if the message authentication codes are corresponding to each other, returning information indicating that the verification has succeeded to the user; an encryption section for handing over an inputted ID to the second key acquisition section, encrypting inputted plaintext with the use of a key outputted from the second key acquisition section, and returning the result to a user; and a decryption section for handing over an inputted ID to the first acquisition section and, with the use of a key outputted from the first key acquisition section, decrypting and outputting inputted encrypted text.

2) The apparatus according to claim 1, wherein the encryption-authentication section has a seed storage section, and the key generation section generates a key, based on a seed stored in the seed storage section and the ID stored in the ID storage section, and outputs the key.

3) The apparatus according to claim 1, wherein the ID issuance-registration section includes redundant information in an ID when issuing the ID.

4) The apparatus according to claim 1, wherein the encryption-authentication section further has a write-once storage area so that registration of the ID is enabled by writing the ID in the write-once storage area.

5) The apparatus according to claim 1, wherein issuance-registration of the ID is performed only by a key generation body.

6) A method for performing pseudo public key encryption and digital signaling with the use of an apparatus including tamper-proof hardware which comprises an encryption-authentication section for performing issuance of an ID, encryption, and authentication, in response to a request by a user, and a tampering detection section for detecting voltage change or pressure change to electrically destroy the encryption-authentication section, the encryption-authentication section of the apparatus comprising: an ID issuance-registration section for issuing an ID in response to a request by a user, and storing the ID in a storage section; a key generation section for generating a key corresponding to the ID using a one-to-one function, and outputting the key; a first key acquisition section for, in response to a request by a user for decryption, or generation of a message authentication code, comparing an inputted ID and the ID stored in the ID storage section, and, if the IDs are corresponding to each other, handing over the ID to the key generation section to output a key generated by the key generation section; a second key acquisition section for, in response to a request by a user for encryption, or verification of a message with a message authentication code attached thereto, handing over an inputted ID to the key generation section to output a key generated by the key generation section; a message authentication code generation section for handing over an inputted ID to the first key acquisition section, and, with the use of a key outputted from the first key acquisition section, calculating and outputting a message authentication code of an inputted message; a message authentication code verification section for handing over an inputted ID to the second key acquisition section, calculating a message authentication code of an inputted message with the use of a key outputted from the second key acquisition section, comparing the obtained message authentication code and an inputted message authentication code, and, if the message authentication codes are corresponding to each other, returning information indicating that the verification has succeeded to the user; an encryption section for handing over an inputted ID to the second key acquisition section, encrypting inputted plaintext with the use of a key outputted from the second key acquisition section, and returning the result to a user; and a decryption section for handing over an inputted ID to the first acquisition section, and, with the use of a key outputted from the first key acquisition section, decrypting and outputting inputted encrypted text; and the method comprising, in sending a message between a sending user and a receiving user, having the apparatus A and the apparatus B, respectively, the steps of: the apparatus A selecting and storing a sending user ID, and then returning the sending user ID to the sending user, for publication of the sending user ID; the apparatus B selecting and storing a receiving user ID, and then returning the receiving user ID to the receiving user, for publication of the receiving user ID; the apparatus A acquiring a key corresponding to the sending user ID, generating a message authentication code, and returning the message authentication code to the sending user; in response to a request by the sending user for encryption, the apparatus A acquiring a key corresponding to the receiving user ID, encrypting the message and the message authentication code, and returning the encrypted message and message authentication code to the sending user; in response to a request by the receiving user for decryption of the encryption, the apparatus B acquiring a key corresponding to the receiving user ID, decrypting the received message, and returning the decrypted message to the receiving user; and in response to a request by the receiving user for verification of the message authentication code, the apparatus B acquiring a key corresponding to the sending ID, verifying the message authentication code, and returning the result to the receiving user.

7) The method according to claim 6, wherein the encryption-authentication section has a seed storage section, and the key generation section generates a key based on a seed stored in the seed storage section and the ID stored in the ID storage section, and outputs the key.

8) The method according to claim 6, wherein the ID issuance-registration section includes redundant information in an ID when issuing the ID.

9) The method according to claim 6, wherein the encryption-authentication section further has a write-once storage area so that registration of the ID is enabled by writing the ID in the write-once storage area.

10) The method according to claim 6, wherein issuance-registration of the ID is performed only by a key generation body.

11) A method comprising: providing tamper-proof hardware having capabilities to perform issuance of an ID, encryption, and authentication, in response to a request by a user; detecting one of voltage change and pressure change, and electrically destroying at least one of said capabilities; issuing and storing a first ID in response to a request by a user; generating a first key corresponding to the first ID using a one-to-one function, and outputting the first key; in response to a request by the user for one of decryption of a message authentication code and generation of a message authentication code, comparing an inputted ID and the first ID, and if the inputted ID and the first ID correspond to each other, handing over the first ID and outputting the first key; in response to a request by the user for encryption or verification of a message with a message authentication code attached thereto, handing over the inputted ID and outputting a second key; handing over the inputted ID to the first key acquisition section, and with the use of the first key calculating and outputting a message authentication code of an inputted message; a message authentication code verification section for handing over the inputted ID to the second key acquisition section, calculating a message authentication code of the inputted message with the use of the second key, comparing the obtained message authentication code and an inputted message authentication code, and, if the message authentication codes correspond to each other, returning information to the user indicating that the verification has succeeded; handing over the inputted ID, encrypting inputted plaintext with the use of the second key, and returning the result to a user; and handing over the inputted ID, and with the use of the first key, decrypting and outputting inputted encrypted text.

12) The method according to claim 11, wherein at least one key is based on a stored seed.

13) The method according to claim 11, further comprising including redundant information in each issued ID.

14) The method according to claim 11, further comprising enabling a write-once storage such that registration of the ID occurs by writing the ID in a write-once storage area.

15) The method according to claim 11, wherein issuance-registration of the ID is performed only by a key generation body.

16) An article of manufacture comprising a computer usable medium having computer readable program code means embodied therein for causing encryption functions, the computer readable program code means in said article of manufacture comprising computer readable program code means for causing a computer to effect the steps of claim 11.

17) A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for encryption functions, said method steps comprising the steps of claim 11.

18) An article of manufacture comprising a computer usable medium having computer readable program code means embodied therein for causing encryption functions, the computer readable program code means in said article of manufacture comprising computer readable program code means for causing a computer to effect the steps of claim 6.

19) A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for encryption functions, said method steps comprising the steps of claim 6.

20) A computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing encryption functions, the computer readable program code means in said computer program product comprising computer readable program code means for causing a computer to effect the functions of claim 1.